How to restricted user Access to called SAP Transactions

Via SE97 Transaction you can control whether the SAP system will block or allow a user called transaction, You might want to do this if you discover that user is able to reach a SAP transaction via indirect methods, even if he not authorized to do, Every time a user start a SAP transaction code the SAP Kernel will check the transaction code against the authorization object S_TCODE.

How to do it.

For example you have started transaction ME22N ( Change purchase order ) and you are working on a purchase order, you can see material number DPC-CPU-2600.

If you double click on field material number on item level you will jump to transaction MM03 ( Display Material )

If you look at ABAP Code you’ll discover transaction MM03 called indirectly from ME22n Transaction. you’ll then discover that table TDCOUPLES is responsible for the explicit authorization on called transaction, you can see and modify content of table TDCOUPLES using transaction SE97.

You must also understand the possible combinations of column CHECK IND :

If the values is set to YES, an authorization check is performed when the ABAP statement CALL TRANSACTION run.

If the values is set to NO, no authorization check is performed.

You can see on picture, in this example MM03 is set to X so check authorization will be performed, if the values is set to blank the behaviour of the SAP System is related to system parameter auth/check/calltransaction .

Using Transaction SE97 you can adjust the values of TCDCOUPLES records to meet your security goals.